There are two important takeaways from the opinion dismissing the consolidated In re iPhone Application Litigation on September 20, 2011: (1) breach of privacy alone is not treated as a “injury in fact”; and (2) breach of privacy in data does not constitute the necessary economic “loss” required for a civil claim under the Computer Fraud and Abuse Act.

No Named Plaintiff Had An Actual “Injury in Fact”

The Plaintiffs advanced 3 arguments for how they suffered an injury in fact:

(1) misappropriation or misuse of personal information; (2) diminution in value of the personal information, which is an “asset of economic value” due to its scarcity; and (3)
“lost opportunity costs” in having installed the apps, and diminution in value of the iDevices because they are “less secure” and “less valuable” in light of the privacy concerns.

None of those arguments amounted to an injury in fact, according to the court on page 6 of the opinion. The primary reasoning was because they all argued that there were injuries in theory, so to speak, but none of the named Plaintiffs could say how they themselves had been injured by the breach in their own privacy by the access to or tracking of their own personal information.

Here is what we can take from this: the breach of one’s privacy alone–without something more to cause an actual harm beyond the breach itself–is not yet considered to be actionable damage.

Computer Fraud and Abuse Act

The court analyzed the Computer Fraud and Abuse Act claim and, on page 16 of the opinion found that the Plaintiffs’ failed to sufficiently allege economic damages to one or more persons during any one-year period aggregating at least $5,000 in value.

This should come as no surprise and is a fairly well settled reading of the CFAA. In fact, I actually predicted this same outcome in 3 separate blog posts last Spring:

So, when it comes to using the Computer Fraud and Abuse Act for privacy claims, I hate to say I told you so but, well, I told you so … we’re just not there yet. But, just because you can’t get there under the CFAA doesn’t mean all is lost — remember, Who’s Gonna Get It?

Please share this!

Like this:

Published by Shawn E. Tuma

Shawn Tuma is an attorney who is internationally recognized in cybersecurity, computer fraud and data privacy law, areas in which he has practiced for nearly two decades. He is a Partner at Spencer Fane, LLP where he regularly serves as outside cybersecurity and privacy counsel to a wide range of companies from small to midsized businesses to Fortune 100 enterprises. You can reach Shawn by telephone at 972.324.0317 or email him at stuma@spencerfane.com.
View all posts by Shawn E. Tuma

I’ll apologise in advance for any silly statements, as I’m not a lawyer – nor at this moment, particularly quick-witted.
Would not the “damage” suffered from loss of personal data be along the lines of “pain and suffering” awards? They seem to me to be rough parallels. You can’t define “pain” in specific quantities, be it physical, mental, or emotional. In the same line, I would argue that “loss of value” of personal data would be hard to value but definitely present.
Or is that the core of the decision, that loss of personal data does not have any intrinsic value (barring any fraud committed with said data)?
Or am I just a bit over-medicated, and unable to see the answer standing boldly in front of my face? (A “yes” answer is perfectly acceptable and probably closest to the truth! 🙂 )

John, your second point hits it — the Court wasn’t saying that they could not in theory make a claim for such a damage but, rather, that they did not. Hypothetically speaking, perhaps if they had been driving a car and immediately had a panic attack, for their first time in their life, strike them the moment they learned of the personal data loss, which then caused them to crash the car, break their leg, total out their car, and spend the next year in therapy, they just might get there!

Meta

DISCLAIMER

This Site is only provided for educational purposes and as a public resource for general information about Shawn E. Tuma. This site, or anything provide through this site, does not constitute legal advice and is not intended to constitute advertising or solicitation for legal services. Nothing in this Site should be construed by you as a source of legal advice. You should not rely or act upon the contents of this Site without seeking advice from your own attorney. Use and access to this Site or any materials or information provided on this Site does not create an attorney-client relationship between you and Shawn E. Tuma, or the law firm at which Shawn E. Tuma may be employed. Any information submitted by you to Shawn E. Tuma via this Site, an email, or any form of social media communication will not be considered an attorney-client communication or otherwise be treated as confidential or privileged in the absence of an executed Engagement Agreement between you and Shawn E. Tuma. The views expressed on this site are those of the author alone and not his employer.
Google